go-msspi patches

Author: deemru

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "src/go-msspi"]
+	path = src/go-msspi
+	url = https://github.com/deemru/go-msspi.git
+[submodule "src/go-pointer"]
+	path = src/go-pointer
+	url = https://github.com/mattn/go-pointer.git

src/crypto/tls/common.go

@@ -525,6 +525,9 @@ const (
 // modified. A Config may be reused; the tls package will also not
 // modify it.
 type Config struct {
+	// msspi
+	msspiConfig bool
+
 	// Rand provides the source of entropy for nonces and RSA blinding.
 	// If Rand is nil, TLS uses the cryptographic random reader in package
 	// crypto/rand.
@@ -1410,6 +1413,9 @@ var writerMutex sync.Mutex
 
 // A Certificate is a chain of one or more certificates, leaf first.
 type Certificate struct {
+	// msspi
+	msspiCert bool
+
 	Certificate [][]byte
 	// PrivateKey contains the private key corresponding to the public key in
 	// Leaf. This must implement crypto.Signer with an RSA, ECDSA or Ed25519 PublicKey.

src/crypto/tls/conn.go

@@ -21,11 +21,18 @@ import (
 	"sync"
 	"sync/atomic"
 	"time"
+
+	"go-msspi"
 )
 
 // A Conn represents a secured connection.
 // It implements the net.Conn interface.
 type Conn struct {
+	// msspi
+	msspiConn bool
+	msspiErr  error
+	msspi     *msspi.Handler
+
 	// constant
 	conn        net.Conn
 	isClient    bool
@@ -1198,6 +1205,31 @@ func (c *Conn) Write(b []byte) (int, error) {
 	c.out.Lock()
 	defer c.out.Unlock()
 
+	// msspi
+	if c.msspiConn {
+		if c.msspi != nil {
+			n, err := c.msspi.Write(b)
+			if n > 0 {
+				return n, err
+			}
+
+			if err == nil {
+				if c.msspi.State(1) {
+					err = net.ErrClosed
+				} else if c.msspi.State(2) {
+					err = errShutdown
+				} else {
+					err = io.EOF
+				}
+			}
+
+			c.out.setErrorLocked(err)
+			return n, c.out.err
+		} else {
+			return 0, net.ErrClosed
+		}
+	}
+
 	if err := c.out.err; err != nil {
 		return 0, err
 	}
@@ -1366,6 +1398,31 @@ func (c *Conn) Read(b []byte) (int, error) {
 	c.in.Lock()
 	defer c.in.Unlock()
 
+	// msspi
+	if c.msspiConn {
+		if c.msspi != nil {
+			n, err := c.msspi.Read(b)
+			if n > 0 {
+				return n, err
+			}
+
+			if err == nil {
+				if c.msspi.State(1) {
+					err = net.ErrClosed
+				} else if c.msspi.State(2) {
+					err = io.EOF
+				} else {
+					err = io.EOF
+				}
+			}
+
+			c.in.setErrorLocked(err)
+			return n, c.in.err
+		} else {
+			return 0, net.ErrClosed
+		}
+	}
+
 	for c.input.Len() == 0 {
 		if err := c.readRecord(); err != nil {
 			return 0, err
@@ -1419,6 +1476,17 @@ func (c *Conn) Close() error {
 		return c.conn.Close()
 	}
 
+	// msspi
+	if c.msspiConn {
+		if c.msspi != nil {
+			err := c.msspi.Close()
+			c.msspi = nil
+			return err
+		} else {
+			return net.ErrClosed
+		}
+	}
+
 	var alertErr error
 	if c.isHandshakeComplete.Load() {
 		if err := c.closeNotify(); err != nil {
@@ -1449,6 +1517,15 @@ func (c *Conn) closeNotify() error {
 	c.out.Lock()
 	defer c.out.Unlock()
 
+	// msspi
+	if c.msspiConn {
+		if c.msspi != nil {
+			return c.msspi.Shutdown()
+		} else {
+			return errShutdown
+		}
+	}
+
 	if !c.closeNotifySent {
 		// Set a Write Deadline to prevent possibly blocking forever.
 		c.SetWriteDeadline(time.Now().Add(time.Second * 5))
@@ -1593,6 +1670,84 @@ func (c *Conn) handshakeContext(ctx context.Context) (ret error) {
 	return c.handshakeErr
 }
 
+// msspi
+// msspiHandshake handshakes msspi
+func (c *Conn) msspiHandshake(ctx context.Context) error {
+	if c.msspi == nil {
+		return c.msspiErr
+	}
+
+	err := c.msspi.Handshake()
+	if err != nil {
+		return err
+	}
+
+	c.vers = c.msspi.VersionTLS()
+	c.cipherSuite = c.msspi.CipherSuite()
+	c.clientProtocol = c.msspi.ClientProtocol()
+
+	if c.config.ServerName != "" {
+		c.serverName = c.config.ServerName
+	}
+
+	var isPeerCertsRequest bool
+	var isPeerCertsRequire bool
+	var isPeerCertsVerify bool
+
+	if c.isClient {
+		isPeerCertsRequest = true
+		isPeerCertsRequire = true
+		isPeerCertsVerify = !c.config.InsecureSkipVerify
+	} else {
+		isPeerCertsRequest = c.config.ClientAuth != NoClientCert
+		isPeerCertsRequire = requiresClientCert(c.config.ClientAuth)
+		isPeerCertsVerify = c.config.ClientAuth >= VerifyClientCertIfGiven
+	}
+
+	if isPeerCertsRequest {
+		certificates := c.msspi.PeerCertificates()
+
+		certs := make([]*x509.Certificate, len(certificates))
+		for i, asn1Data := range certificates {
+			cert, err := x509.ParseCertificate(asn1Data)
+			if err == nil {
+				certs[i] = cert
+			}
+		}
+
+		c.peerCertificates = certs
+	}
+
+	isPeerCerts := len(c.peerCertificates) != 0
+
+	if isPeerCertsRequire && !isPeerCerts {
+		return errors.New("tls: peer didn't provide a certificate")
+	}
+
+	if isPeerCertsVerify && isPeerCerts {
+		certificates := c.msspi.VerifiedChains()
+
+		if certificates == nil {
+			return errors.New("tls: failed to verify peer certificate")
+		}
+
+		certs := make([]*x509.Certificate, len(certificates))
+		for i, asn1Data := range certificates {
+			cert, err := x509.ParseCertificate(asn1Data)
+			if err == nil {
+				certs[i] = cert
+			}
+		}
+
+		var verifiedChains [][]*x509.Certificate
+		c.verifiedChains = append(verifiedChains, certs)
+	}
+
+	atomic.StoreUint32(&c.handshakeStatus, 1)
+
+	return nil
+}
+
 // ConnectionState returns basic TLS details about the connection.
 func (c *Conn) ConnectionState() ConnectionState {
 	c.handshakeMutex.Lock()

src/crypto/tls/tls.go

@@ -25,6 +25,8 @@ import (
 	"net"
 	"os"
 	"strings"
+
+	"go-msspi"
 )
 
 // Server returns a new TLS server side connection
@@ -37,6 +39,28 @@ func Server(conn net.Conn, config *Config) *Conn {
 		config: config,
 	}
 	c.handshakeFn = c.serverHandshake
+
+	// msspi
+	if msspi.ByDefault || c.config.msspiConfig || (len(c.config.Certificates) > 0 && c.config.Certificates[0].msspiCert) {
+		c.msspiConn = true
+		c.handshakeFn = c.msspiHandshake
+
+		CertificateBytes := [][]byte{}
+		for _, cert := range config.Certificates {
+			CertificateBytes = append(CertificateBytes, cert.Certificate[0])
+		}
+
+		c.msspi, c.msspiErr = msspi.Server(&c.conn, CertificateBytes, c.config.ClientAuth != NoClientCert)
+
+		if c.msspi == nil {
+			return c
+		}
+
+		if len(config.NextProtos) > 0 {
+			c.msspi.SetNextProtos(config.NextProtos)
+		}
+	}
+
 	return c
 }
 
@@ -51,6 +75,28 @@ func Client(conn net.Conn, config *Config) *Conn {
 		isClient: true,
 	}
 	c.handshakeFn = c.clientHandshake
+
+	// msspi
+	if msspi.ByDefault || c.config.msspiConfig || (len(c.config.Certificates) > 0 && c.config.Certificates[0].msspiCert) {
+		c.msspiConn = true
+		c.handshakeFn = c.msspiHandshake
+
+		CertificateBytes := [][]byte{}
+		for _, cert := range config.Certificates {
+			CertificateBytes = append(CertificateBytes, cert.Certificate[0])
+		}
+
+		c.msspi, c.msspiErr = msspi.Client(&c.conn, CertificateBytes, c.config.ServerName)
+
+		if c.msspi == nil {
+			return c
+		}
+
+		if len(config.NextProtos) > 0 {
+			c.msspi.SetNextProtos(config.NextProtos)
+		}
+	}
+
 	return c
 }
 
@@ -245,6 +291,14 @@ func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) {
 func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
 	fail := func(err error) (Certificate, error) { return Certificate{}, err }
 
+	// msspi
+	if bytes.Equal(certPEMBlock, keyPEMBlock) {
+		var cert Certificate
+		cert.Certificate = append(cert.Certificate, certPEMBlock)
+		cert.msspiCert = true
+		return cert, nil
+	}
+
 	var cert Certificate
 	var skippedBlockTypes []string
 	for {

src/go-msspi

@@ -0,0 +1,59 @@
+package msspitest
+
+import (
+	"crypto/tls"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+	"runtime"
+	"testing"
+	"time"
+)
+
+func clientGet(t *testing.T, host string, uri string) []byte {
+	conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%d", host, 44333), 2*time.Second)
+	if err != nil {
+		t.Fatalf("Unexpected error on dial: %v", err)
+	}
+	defer conn.Close()
+
+	tlsConn := tls.Client(conn, &tls.Config{InsecureSkipVerify: true})
+	defer tlsConn.Close()
+
+	wbuf := []byte("GET " + uri + " HTTP/1.1\r\nHost: " + host + "\r\n\r\n")
+	if wlen, err := tlsConn.Write(wbuf); wlen != len(wbuf) || err != nil {
+		t.Fatalf("Error sending: %v", err)
+	}
+
+	rbuf := make([]byte, 16384)
+	if rlen, err := tlsConn.Read(rbuf); rlen == 0 || err != nil {
+		t.Fatalf("Error reading: %v", err)
+		return nil
+	} else {
+		return rbuf[:rlen]
+	}
+}
+
+func HelloServer(w http.ResponseWriter, req *http.Request) {
+	w.Header().Set("Content-Type", "text/plain")
+	w.Write([]byte("This is an example server.\n"))
+}
+
+func RunServer() {
+	http.HandleFunc("/hello", HelloServer)
+	err := http.ListenAndServeTLS(":44333", "server.crt", "server.crt", nil)
+	if err != nil {
+		log.Fatal("ListenAndServe: ", err)
+	}
+}
+func TestMsspiServer(t *testing.T) {
+	go RunServer()
+	rbuf := clientGet(t, "localhost", "/hello")
+	s := string(rbuf)
+	fmt.Printf(s + "\n")
+	for i := 0; i < 9999999; i++ {
+		time.Sleep(time.Second)
+		runtime.GC()
+	}
+}